NERC Security Guideline for the Vendor Risk Management Lifecycle

Mitratech Staff

Acknowledging that many cyber security risks to critical infrastructure originate with third-party vendors, the North American Electric Reliability Corporation (NERC) has published a Security Guideline for the Vendor Risk Management Lifecycle. The Guideline provides examples of vendor risks and suggested mitigations that organizations should consider as they develop their overall supply chain cyber security risk management plans – not just for the bulk electric system (BES) but also for other critical infrastructure areas such as gas pipelines, electric power generation, transmission and distribution, and other areas.

This post examines the stages of the vendor risk lifecycle as identified in the NERC Security Guideline, and reviews best practices for mitigating cybersecurity risks to critical infrastructure at each stage.

Stages of the Vendor Risk Lifecycle

The NERC Security Guideline identifies the following stages of the vendor risk management lifecycle.

  1. Vendor identification through a Request for Proposal (RFP) or otherwise
  2. Procurement(s) from the vendor
  3. Installation and use of the product or service (including vendor support and patching)
  4. Termination of the vendor relationship

The Guideline then suggests that processes should be documented in the organization’s supply chain cyber security risk management plan for both information technology (IT) and operational technology (OT) environments at each stage of the lifecycle. We examine those stages next.

Mitigating Risks Before Procurement

Chapter 1 of the Guideline states that, “While deciding which vendors should be invited to participate in the RFP, the organization could consider the factors of approved entity lists, intelligence sources, and publicly available information (e.g., history of vulnerability handling, web site hygiene).”

To address this Guideline, compare firmographic details, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance of potential vendors in a single table. Centralizing these insights in line with RFx responses gives you a holistic view of suppliers – both their fit for purpose as well as fit according to your organization’s risk appetite.

See the table below for additional suggested mitigations from Chapter 1.

Assessing Risks

Chapter 2 of the Security Guideline states that, “Once a vendor relationship is in place and the organization has begun obtaining products or services from the vendor, the organization needs a process for continually identifying, assessing, and mitigating both residual and new risks posed by the vendor.” To accomplish this, the Guideline suggests some of the steps in the following table.

Mitigating Risks During Product/Service Use

Chapter 3 of the Guideline recommends that the organization ask the vendor to mitigate the risks identified in the assessment. The goal of mitigation is to reduce the likelihood and/or impact of each risk until its residual level is acceptable to the organization.

The Guideline says this can be accomplished through RFP or contractual enforcement, but required remediations are also an important post-contract enforcement mechanism. See some selected mitigations from the Guideline in the table below.

Verifying Risk Mitigation

Chapter 4 of the Guideline requires verification that the vendor is complying with policies and mitigation steps. Possible actions include those in the following table.

Purchasing, Terminating, and Transitioning

Chapter 5 of the Guideline reviews the procedures required to terminate a vendor relationship, including those found in the table below.

Next Steps: Meeting NERC Security Guidelines for the Vendor Risk Management Lifecycle

The NERC Security Guidelines for the Vendor Risk Management Lifecycle provide foundational recommendations for mitigating the cybersecurity risks introduced to your critical infrastructure organization. For help in implementing these best practices, schedule a demonstration today.


Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance requirements.